AWS Certificate Manager Private Certificate Authority
AWS Private Certificate Authority Documentation (API Version 2017-08-22)


Assigns permissions from a private CA to a designated AWS service. Services are specified by their service principals and can be given permission to create and retrieve certificates on a private CA. Services can also be given permission to list the active permissions that the private CA has granted. For ACM to automatically renew your private CA's certificates, you must assign all possible permissions from the CA to the ACM service principal.

At this time, you can only assign permissions to ACM ( Permissions can be revoked with the DeletePermission action and listed with the ListPermissions action.

Request Syntax

{ "Actions": [ "string" ], "CertificateAuthorityArn": "string", "Principal": "string", "SourceAccount": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


The actions that the specified AWS service principal can use. These include IssueCertificate, GetCertificate, and ListPermissions.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 3 items.

Valid Values: IssueCertificate | GetCertificate | ListPermissions

Required: Yes


The Amazon Resource Name (ARN) of the CA that grants the permissions. You can find the ARN by calling the ListCertificateAuthorities action. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=/,.@-]+)*

Required: Yes


The AWS service or identity that receives the permission. At this time, the only valid principal is

Type: String

Length Constraints: Minimum length of 0. Maximum length of 128.

Pattern: ^[^*]+$

Required: Yes


The ID of the calling account.

Type: String

Length Constraints: Fixed length of 12.

Pattern: [0-9]+

Required: No

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


For information about the errors that are common to all actions, see Common Errors.


The requested Amazon Resource Name (ARN) does not refer to an existing resource.

HTTP Status Code: 400


The private CA is in a state during which a report or certificate cannot be generated.

HTTP Status Code: 400


An ACM Private CA limit has been exceeded. See the exception message returned to determine the limit that was exceeded.

HTTP Status Code: 400


The designated permission has already been given to the user.

HTTP Status Code: 400


The request has failed for an unspecified reason.

HTTP Status Code: 400


A resource such as a private CA, S3 bucket, certificate, or audit report cannot be found.

HTTP Status Code: 400



Sample Request

POST / HTTP/1.1 Host: X-Amz-Target: CertificateManager.CreatePermission X-Amz-Date: 20190207T170903Z User-Agent: aws-cli/1.10.20 Python/2.7.3 Linux/3.13.0-83-generic botocore/1.4.11 Content-Type: application/x-amz-json-1.1 Authorization: AUTHPARAMS, SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, Signature=379429306c5e89b9b4be5b35e29c26cc1da38215d8055a5ed0bdda57bcc881cc { "Actions": { "IssueCertificate", "GetCertificate", "ListPermissions" }, "CertificateArn":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012", "Principal":"", "SourceAccount":"012345678901" }


Sample Response

HTTP/1.1 200 OK x-amzn-RequestId: 3c8d676d-025e-11e6-8823-93164b47113c Content-Type: application/x-amz-json-1.1 Content-Length: 0 Date: Thu, Feb 7 2019 17:09:05 GMT

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: